http://dx.doi.org/10.13089/JKIISC.2012.22.5.1191

Threat Analysis based Software Security Testing for preventing the Attacks to Incapacitate Security Features of Information Security Systems  

Kim, Dongjin (Dankook University)
Jeong, Youn-Sik (Dankook University)
Yun, Gwangyeul (Dankook University)
Yoo, Haeyoung (Dankook University)
Cho, Seong-Je (Dankook University)
Kim, Giyoun (A3SECURITY)
Lee, Jinyoung (Korea Internet Security Agency)
Kim, Hong-Geun (Korea Internet Security Agency)
Lee, Taeseung (Sungkyunkwan University)
Lim, Jae-Myung (Korea Internet Security Agency)
Won, Dongho (Sungkyunkwan University)
Abstract
As attackers try to paralyze information security systems, many researchers have investigated security testing to analyze vulnerabilities of information security products. Penetration testing, a critical step in the development of any secure product, is the practice of testing a computer system to find vulnerabilities that an attacker could exploit. Security testing such as penetration testing includes gathering information about the target before the test, identifying possible entry points, attempting to break in, and reporting back the findings. Maximizing generality, re-usability and efficiency is therefore very useful for security testing and vulnerability hunting activities. In this paper, we propose a threat analysis based software security testing technique for evaluating whether the security functionality of target products provides the properties of self-protection and non-bypassability, in order to respond to attacks that incapacitate or bypass the security features of the target products. We conduct a security threat analysis to identify vulnerabilities and, after the threat analysis, establish a testing strategy according to the software modules and security features/functions of the target products, to improve the re-usability and efficiency of software security testing. The proposed technique consists of threat analysis and classification, selection of the right strategy for security testing, and security testing. We demonstrate that our technique can systematically evaluate the strength of security systems by analyzing case studies and performing security tests.
Keywords
Vulnerability; Security Testing; Threat Analysis; Penetration Testing; Self-protection; Non-bypassability;